SSL VPN Authentication


L1 Bithead

Hi Guys,

I have an issue with the SSL VPN authentication via RADIUS.

I have configured the RADIUS Server with these options:

Name: PANSSL

Address: 10.0.0.8

Vendor Name: RADIUS Standard

The Policy and Connection Type are as follows:

Name: AccessVPN

Conditions: Windows User Groups, domain\domain_users

Access Permission: Access Granted

Authentication Method: Checked: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)

                                User can change password after it has expired

                                Microsoft Encrypted Authentication (MS-CHAP)

                                User can change password after it has expired

                                Unencrypted Authentication (PAP, SPAP)

RADIUS Attributes: Framed-Protocol: PPP

                   Service-Type: Framed

I have a Windows Server 2003.

When I try to get access, it gives me the following error: User "domai\domai_user" failed authentication. Reason: User is not in allowlist.

I have modified the allow list many times; right now I have all users in the allowlist, but it is not working.

I am working with a PAN-500, software version: 3.1.2, SSL-VPN Client 1.1.1, Application-Version 192-655, Threat version 192-655, Antivirus 240-279, URL Filtering 3376.

Any help?

Thanks in advance.

3 REPLIES

L5 Sessionator

Here are a few questions/troubleshooting steps. Are you using a pan-agent? If so, there may be a connectivity issue. The CLI command > show user pan-agent statistics will help determine that. If using the agent, are the users members of the configured group? Use the CLI command > debug device server dump user-group <group name>. If not using a pan-agent, when editing the allow list, type "all" (minus quotes) in the "Additional Users" box and see if that allows you to authenticate. Beyond that, you may want to contact your support provider.

Not applicable

Late answer, I know. But for the record.

There is no support for MS-CHAP v2. In the RADIUS server you have to (sorry to say) use only PAP for authentication.

/ Mike

Hi NRICE,

1. I am using PAN-Agent version 3.1.2

2. The CLI command show user.... gives me the following info:

admin@PA-500-BBDO> show user pan-agent statistics

Name             IP Address      Port    Vsys        State             Users  Grps  IPs       Activity Cnts Link Speed
----------------------------------------------------------------------------------------------------------------------
BBDOAgent        192.168.0.2     3033    vsys1       connected, ok     293    15    130       433           fast


3. I am using the Domain Users group.

4. The CLI command debug device server dump.... gives me all the users that belong to the group.

Is there anything else that I need to check or some configuration that I need to add or delete?

Thanks in advance.
